Unauthorized WOPI host for collabora-nginx using docker-compose

Hello! Uhhh I’ve been trying to set up a collabora-online server on an old local laptop where I installed Ubuntu. It took me some days to set up the Nextcloud server, and then the Collabora one, between proxy issues and DNS records.

I’ve barely done anything with Linux and know next to nothing at a technical level, and English is not my native language, so any attempt to solve my problem has been overwhelming. But I’ll try to provide as much information as possible so I’m not a pain for you all.

I’ve managed to set up my DNS records (I use AAA ones since my ISP doesn’t provide a public IPv4) and I’m using

Ubuntu 22.04.5 LTS
Nextcloud 30.0.05
Collabora Online Development Edition 24.04.12.3
Nginx Proxy Manager
Cloudflare for my domain

Docker-compose.yml

version: '2.2'
services:
  nginxproxymanager:
    image: 'jc21/nginx-proxy-manager:latest'
    container_name: nginx
    restart: unless-stopped
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    volumes:
      - ./nginx/data:/data
      - ./nginx/letsencrypt:/etc/letsencrypt
    networks:
      - mynetwork

  nextcloud:
    image: lscr.io/linuxserver/nextcloud:latest
    container_name: nextcloud
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Mexico_City
    volumes:
      - ./nextcloud/appdata:/config
      - ./nextcloud/data:/data
    restart: unless-stopped
    networks:
      - mynetwork

  collabora:
    image: collabora/code:latest
    container_name: collabora
    restart: unless-stopped
    environment:
      - aliasgroup1=cloud\.domain\.com
      - PUID=1000
      - PGID=1000
      - username=username
      - password=password
      - DONT_GEN_SSL_CERT=1
      - extra_params=--o:ssl.enable=false --o:ssl.termination=true
    ports:
      - '9980:9980'
    volumes:
      - ./collabora/etc:/etc/coolwsd
    networks:
      - mynetwork

networks:
  mynetwork:
    enable_ipv6: true
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/16
        - subnet: 2001:db8:1::/64

coolwsd.xml

<!-- -*- nxml-child-indent: 4; tab-width: 4; indent-tabs-mode: nil -*- -->
<config>
	<server_name>collabora.domain.com</server_name>
	<port>9980</port>
	<wopi desc="Allow/deny wopi storage. Mutually exclusive with webdav." allow="true"></wopi>
	<host allow="true">https://cloud\.domain\.com:443</host>
	<host allow="true">localhost</host>
</config>

Logs from the Collabora’s docker

Ready to accept connections on port 9980.

wsd-00001-00001 2025-02-20 17:37:13.606273 +0000 [ coolwsd ] TRC  Have 1 new children.| wsd/COOLWSD.cpp:3684
wsd-00001-00001 2025-02-20 17:37:13.606286 +0000 [ coolwsd ] INF  WSD initialization complete: setting log-level to [warning] as configured.| wsd/COOLWSD.cpp:3699
wsd-00001-00001 2025-02-20 17:37:13.606901 +0000 [ coolwsd ] WRN  Waking up dead poll thread [main], started: false, finished: false| net/Socket.hpp:824
frk-00014-00014 2025-02-20 17:37:13.628240 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to clone dynamic elements of systemplate to the jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:590
frk-00014-00014 2025-02-20 17:37:13.687280 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to clone dynamic elements of systemplate to the jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:590
frk-00014-00014 2025-02-20 17:37:13.785856 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to clone dynamic elements of systemplate to the jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:590
wsd-00001-00021 2025-02-20 17:39:15.990555 +0000 [ websrv_poll ] ERR  No authorized hosts found matching the target host [cloud.domain.com] in config| wsd/RequestVettingStation.cpp:97
wsd-00001-00021 2025-02-20 17:39:16.067496 +0000 [ websrv_poll ] ERR  #30: No authorized hosts found matching the target host [cloud.domain.com] in config| wsd/RequestVettingStation.cpp:267
wsd-00001-00021 2025-02-20 17:39:16.249071 +0000 [ websrv_poll ] ERR  #30: No authorized hosts found matching the target host [cloud.domain.com] in config| wsd/RequestVettingStation.cpp:267

Image of the Admin > Office panel in Nextcloud:

What have I tried?
Almost anything I can think of. I’ve been editing both coolwsd.xml and docker-compose, scrambling through this forum’s responses, but no results. Here’s a list of some of the things I’ve tried:

  • Add the domain as https://cloud.domain.com, https://cloud\\.domain\\.com, https://cloud\.domain\.com and cloud.domain.com to both the domain (which I think is deprecated?) and aliasgroup1 (individually) in docker-compose.yml
  • Do the same for the hosts in coolwsd.xml
  • Add hosts inside the WOPI “category?” (sorry I don’t know its name, the element in xml) and a net one too
  • I’ve already done a curl to both domains from my server, it works

If relevant, here are some screenshots of my Nginx panel for the Collabora proxy (everything is the same for the cloud one except for websockets and http being https):




(I tried to add a custom nginx configuration on the advanced tab, but I never managed to make collabora’s proxy be online whenever I tried it)

Sorry if I missed some crucial piece of information. For me this is everything I’ve moved around, so the solution might be lying anywhere, and sorry for the bad English '. .) I appreciate it if anyone has even stuck this far to read this.

hi @Mendoza welcome to the forum :handshake:

nice first post - I wished more people would do it in the same way.

you find the right syntax to aliasgroups in Important changes regarding COOL/CODE docker versions from v21.11.3.6 on (multiple domains setup)

btw: I’m almost sure these variables are useless in CODE:

Thanks for the quick response!

Is the .env file required? I added the domain directly to the aliasgroup1 as:

aliasgroup1=https://cloud.domain.com:443 but I still get the same error

Sorry if it’s a dumb question

I also removed the PUID and PGID environment variables, and you were right! Thanks

Btw, quick question, I don’t need to add the IPs to the WOPI allow list on the Nextcloud admin panel, right? I assumed that if I added the wrong IP there it would just replicate an error without me knowing, and I think that if I left it empty it wouldn’t cause an issue while I solve this other error.

this is a completely different thing - it controls which CODE/COOL instance can connect to the NC server. this check only works on IP level and often you need to add your public IP. see wopi_allowlist - and many other threads: use search :wink: for details, review the Collabora integration guide

Ah, I see! Thanks for clarifying! I still get the invalid WOPI host error though, any directions on what logs to check or what things I could do?

Hi @Mendoza,

I am not sure if you are still looking into this. I also want to say that I am a total newbie, but I came across your post looking into a similar issue. In terms of logs to inspect, I would look into the Nextcloud or nginx logs. Likely you can find a statement like the code snippet below. This showed me that the request was coming in from 10.0.0.1, which is my LAN gateway. It may give you an IP like this such that you can find out where the denied request is coming from. I don’t really know much more than that, but thought maybe it would be helpful.

This is a redacted entry from (in my case) an nginx docker container.

{"reqId":"Vpc5EWcZl9wmz9vXNBKQ","level":2,"time":"2025-05-11T16:25:52+00:00","remoteAddr":"10.0.0.1","user":false,"app":"richdocuments","method":"GET","url":"/index.php/apps/richdocuments/wopi/files/19_ochl6ujj3gev?access_token=access_token&access_token_ttl=0&permission=edit","message":"WOPI request denied from 10.0.0.1 as it does not match the configured ranges: https://collabora.MYFQDN.com","userAgent":"COOLWSD HTTP Agent 25.04.1.1","version":"31.0.4.1","data":{"app":"richdocuments"}}

In that entry, I found that the request which was being denied was coming from 10.0.0.1 instead of collabora.MYFQDN.com.

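The log triage the last reply describes, as an added example that is not part of the original thread: it extracts the denied source address from richdocuments log lines, flags configured entries that are not IP addresses or CIDR ranges (the allowlist check works on IP level, as noted above), and tests a candidate allowlist against the observed sources. The sample lines are constructed, and the comma-separated allowlist format and all function names are assumptions.

```python
import ipaddress
import json
import re

# Constructed sample log lines, shaped like the entry quoted above.
SAMPLE_LOG = [
    '{"remoteAddr":"10.0.0.1","app":"richdocuments","message":"WOPI request denied from 10.0.0.1 as it does not match the configured ranges: https://collabora.MYFQDN.com"}',
    '{"remoteAddr":"172.20.0.5","app":"richdocuments","message":"WOPI request denied from 172.20.0.5 as it does not match the configured ranges: 10.0.0.0/24, 2001:db8:1::/64"}',
    '{"remoteAddr":"10.0.0.7","app":"core","message":"Login failed"}',
    'not json at all',
]

DENIED = re.compile(r"WOPI request denied from (\S+) as it does not match "
                    r"the configured ranges: (.*)$")

def split_allowlist(value):
    """Split a comma-separated allowlist (assumed format) into (networks, non-IP entries)."""
    networks, non_ip = [], []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            non_ip.append(entry)  # hostname or URL: cannot match an IP-level check
    return networks, non_ip

def triage(lines, proposed_allowlist):
    """Report each denied source and whether the proposed allowlist would admit it."""
    proposed, _ = split_allowlist(proposed_allowlist)
    report = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip non-JSON lines
        if not isinstance(rec, dict) or rec.get("app") != "richdocuments":
            continue
        match = DENIED.search(str(rec.get("message", "")))
        if not match:
            continue
        try:
            source = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue
        _, non_ip = split_allowlist(match.group(2))
        report.append({"source": str(source), "configured_non_ip": non_ip,
                       "admitted_by_proposed": any(source in n for n in proposed)})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, "10.0.0.1, 172.20.0.0/16"):
        print(row)
```

A non-empty `configured_non_ip` list means the allowlist holds a hostname or URL where the IP-level check needs an address or range.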
